#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Data upload
#
#################################################################################
#
    InsertSection "${SECTION_DATA_UPLOAD}"

    PROGRAM_VERSION="105"

    # Data upload destination
    if [ "${UPLOAD_SERVER}" = "" ]; then UPLOAD_SERVER="portal.cisofy.com"; fi
    UPLOAD_URL="https://${UPLOAD_SERVER}/upload/"
    LogText "Upload server: ${UPLOAD_SERVER}"
    LogText "URL to upload to: ${UPLOAD_URL}"

    # License server (set to upload server if not configured)
    if [ "${LICENSE_SERVER}" = "" ]; then LICENSE_SERVER="${UPLOAD_SERVER}"; fi
    LICENSE_SERVER_URL="https://${LICENSE_SERVER}/license/"
    LogText "License server: ${LICENSE_SERVER}"

    # Additional options to curl
    if [ "${UPLOAD_OPTIONS}" = "" ]; then
        CURL_OPTIONS=""
    else
        CURL_OPTIONS=" ${UPLOAD_OPTIONS}"
    fi

    SETTINGS_FILE="${PROFILE}"
    #if [ "${UPLOAD_TOOL}" = "" ]; then UPLOAD_TOOL="${CURLBINARY}"; fi

    # Only output text to stdout if DEBUG mode is not used
    Output() {
        if [ ${DEBUG} -eq 1 ]; then echo "$1"; fi
    }

#####################################################################################
#
# SYSTEM CHECKS
#
#####################################################################################

    Output "Lynis Enterprise data uploader starting"
    Output "Settings file: ${SETTINGS_FILE}"

    # Check if we can find curl
    # Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
    #             Restrict access to this binary to the user who is running this script.
    if IsEmpty "${CURLBINARY}"; then
        echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
        LogText "Error: Could not find cURL binary"
        exit 1
    fi

    # Extra the license key from the settings file
    if [ "${LICENSE_KEY}" = "" ]; then
        echo "Fatal: no license key found. Quitting.."
        LogText "Error: no license key was specified in the profile (${PROFILE})"
        ExitFatal
    else
        Output "License key = ${LICENSE_KEY}"
        # Create a temporary file to use during upload (prevent license key being displayed in process table)
        CreateTempFile || ExitFatal
        LICENSE_KEY_FILE="${TEMP_FILE}"
        echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
    fi


#####################################################################################
#
# JOB CONTROL
#
#####################################################################################


    # Check report file
    if [ -f ${REPORTFILE} ]; then

        Output "${WHITE}Report file found.${NORMAL} Starting with content check."

        FIND=$(${GREPBINARY} "finish=true" ${REPORTFILE})
        if [ $? -gt 0 ]; then ExitFatal "The report is not complete, skipping upload"; fi

        Output "${WHITE}Report file found.${NORMAL} Starting with connectivity check."

            if [ ! "${UPLOAD_PROXY_SERVER}" = "" ]; then
                LogText "Upload: Proxy is configured: ${UPLOAD_SERVER}"
                # Port is optional
                if [ ! "${UPLOAD_PROXY_PORT}" = "" ]; then
                    LogText "Upload: Proxy port number is ${UPLOAD_PROXY_PORT}"
                    UPLOAD_PROXY_PORT=":${UPLOAD_PROXY_PORT}"
                fi
                LogText "Upload: Proxy protocol is ${UPLOAD_PROXY_PROTOCOL}"
                case ${UPLOAD_PROXY_PROTOCOL} in
                    "http"|"https")
                        UPLOAD_PROXY="${UPLOAD_PROXY_PROTOCOL}://${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
                        CURL_OPTIONS="${CURL_OPTIONS} --proxy ${UPLOAD_PROXY}"
                    ;;
                    "socks5")
                        UPLOAD_PROXY="${UPLOAD_PROXY_SERVER}${UPLOAD_PROXY_PORT}"
                        CURL_OPTIONS="${CURL_OPTIONS} --socks5 ${UPLOAD_PROXY}"
                    ;;
                    *)
                        echo "Unknown protocol. Please report to lynis-dev@cisofy.com"
                        ExitFatal
                    ;;
                esac
            fi

            # Currently compressed uploads are not supported yet on central node. Therefore default value is set to 0.
            #if [ ${COMPRESSED_UPLOADS} -eq 1 ]; then
            #    CURL_OPTIONS="${CURL_OPTIONS} --compressed -H 'Content-Encoding: gzip'"
            #fi


        # License check

        LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
        UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)

        EXITCODE=$?
        LogText "Exit code: ${EXITCODE}"
        if [ ${EXITCODE} -gt 0 ]; then

            Display --indent 2 --text "- License check" --result "FAILED" --color RED

            echo ""

            case ${EXITCODE} in
                    2)
                        LogText "Result: could not initialize"
                        LogText "Possible cause: most likely your cURL version is too old and does not support the --data-urlencode option."
                        LogText "Suggestion: copy the data to a different server and use a new cURL version there, or use the Lynis Collector tool."
                        echo "${RED}Error (2)${NORMAL}: could not initialize cURL."
                        ;;
                    5)
                        LogText "Result: could not resolve the defined proxy server (${UPLOAD_PROXY_SERVER})."
                        LogText "Suggestion: check if the proxy is properly defined in the profile."
                        echo "${RED}Error (5)${NORMAL}: could not use the defined proxy (${UPLOAD_PROXY_SERVER}). See ${LOGFILE} for details."
                        ;;
                    6)
                        echo "${RED}Error (6)${NORMAL}: Could not resolve the hostname of central server."
                        ;;
                    7)
                        LogText "Result: could not contact license server."
                        LogText "Details: used URL ${LICENSE_SERVER_URL}"
                        LogText "Suggestion: check if the upload host is correctly configured."
                        echo "${RED}Error (7)${NORMAL}: license server not available."
                        ;;
                    59)
                        echo "${RED}Error (59)${NORMAL}: Could not connect because of used SSL cipher."
                        LogText "Result: SSL cipher used is not understood or accepted."
                        ;;
                    60)
                        echo "${RED}Error (60)${NORMAL}: Self-signed certificate used on Lynis Enterprise node${NORMAL}"
                        echo "If you want to accept a self-signed certificate, configure your profile and set the -k option in the upload-options."
                        echo "Example: ${WHITE}$0 configure settings upload-options=-k${NORMAL}"
                        LogText "Result: found self-signed certificate, however cURL -k option not used."
                        ;;
                    77)
                        echo "${YELLOW}Error (77)${NORMAL}: Could not use CA certificates to check certificate chain. See ${LOGFILE} for details."
                        LogText "Result: could not use CA certificates to check certificate chain"
                        LogText "Possible cause: missing CA certificates, or no permissions to access them"
                        LogText "Suggestion: update your ca-certificates package. Usually updating your packages already solves the issue with missing CA certificates."
                        ;;
                    83)
                        echo "${YELLOW}Error (83)${NORMAL}: Could not check used certificate of server. See ${LOGFILE} for details." ;;
                    *)
                        echo "${RED}Upload Error: ${NORMAL}cURL exited with code ${EXITCODE}. See ${LOGFILE} for details."
                        LogText "Result: cURL exited with code ${EXITCODE}. See man page of cURL for the meaning of this code."
                        ;;
            esac

            echo ""
            echo "${RED}Upload Error${NORMAL}: License could not be checked. See ${LOGFILE} for details."
            echo "Suggested command: tail -n 20 ${LOGFILE}"
            echo ""

            LogText "Suggestion: run the cURL command manually without the options -s and -S"
            LogText "Result: quitting, can't check license"
            # Quit if license is not valid, to reduce load on both client and server.
            ExitFatal
        fi

        UPLOAD_CODE=$(echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}')
        if [ "${UPLOAD_CODE}" = "100" ]; then
            Output "${WHITE}License is valid${NORMAL}"
            LogText "Result: license is valid"
            Display --indent 2 --text "- License check" --result "${STATUS_DONE}" --color GREEN
        else
            LogText "Result: error while checking license"
            LogText "Output: ${UPLOAD_CODE}"
            echo "${RED}Fatal error: ${WHITE}Error while checking the license.${NORMAL}"
            echo ""
            echo "Possible causes and steps you can take:"
            echo "- Connection with license server could not be established (try address in your web browser)"
            echo "- Incorrect server has been configured in profile"
            echo "- License is expired (listed in Configuration screen) or No credits left (listed in Configuration screen)"
            echo "- Collector version of Lynis version outdated (upgrade to latest version of Lynis and/or Lynis Collector)"
            echo ""
            echo "If you need support in solving this, please contact support@cisofy.com and include this screen output."
            echo ""
            echo "URL: ${LICENSE_SERVER_URL}"
            echo "Key: ${LICENSE_KEY}"
            Output "Debug information: ${UPLOAD}"
            # Quit
            ExitFatal
        fi

        # Check for host IDs
        if [ -n "${HOSTID}" -a -n "${HOSTID2}" ]; then
            Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
            # Try to connect
            Output "Uploading data.."
            LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
            LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
            LogText "Tip: to just retry an upload, use: lynis upload-only"
            UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
            EXITCODE=$?
            LogText "Exit code: ${EXITCODE}"
            if [ ${EXITCODE} -gt 0 ]; then
                Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_FAILED}" --color RED

                echo ""
                echo "${RED}Upload Error${NORMAL}: cURL could not upload data. See ${LOGFILE} for details."
                echo "Suggested command: tail -n 20 ${LOGFILE}"
                echo ""
                case ${EXITCODE} in
                    5) echo "${YELLOW}Error (5): ${NORMAL}Could not resolve the hostname of the proxy." ;;
                    6) echo "${YELLOW}Error (6): ${NORMAL}Could not resolve the hostname of central server." ;;
                    7) echo "${YELLOW}Error (7): ${NORMAL}Could not connect to central server or proxy server." ;;
                    59) echo "${YELLOW}Error (59): ${NORMAL}Could not connect because of used SSL cipher." ;;
                    83) echo "${YELLOW}Error (83): ${NORMAL}Could not check used certificate of server." ;;
                    *) echo "Related exit code: ${YELLOW}${EXITCODE}${NORMAL}. See man page of cURL for the meaning of this code." ;;
                esac
                if [ ! "${UPLOAD}" = "" ]; then echo ""; echo "Debug:"; echo ${UPLOAD}; fi
                echo ""
                # Quit
                ExitClean
            else
                Display --indent 2 --text "- Data upload (${UPLOAD_SERVER})" --result "${STATUS_DONE}" --color GREEN
            fi
        else
            echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file."
            echo "Suggested command: lynis generate hostids --save"
            echo ""
            echo "Note: do not replicate the values to other systems, as it needs to be unique per system"

            # Quit
            ExitFatal
        fi
    else
         Output "${YELLOW}No report file found to upload.${NORMAL}"
         ExitFatal
    fi

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
